Json path event trigger

Identity Security Cloud (ISC) ISC Discussion and Questions
1

I have an existing event trigger I am trying to add additional criteria to and am looking for some ideas on the json path. Basically right now, the criteria is:

$.changes[?(@.attribute == "accountingUnit" || @.attribute == "legalEntity")]

and I am trying to add in filter criteria to only send event if positionCode is also included in the event, but either accountingUnit OR legalEntity changes with

$.changes[?(@.attribute == "positionCode" && (@.attribute == "accountingUnit" || @.attribute == "legalEntity"))]

Here is a sample event i have been testing with:

{
        "identity": {
            "id": "2c9180838222dcdc0182265f16427ce5",
            "name": "21097371",
            "type": "IDENTITY"
        },
        "changes": [
            {
                "attribute": "positionDescription",
                "oldValue": "FABRICATION SHIFT C OPERATOR",
                "newValue": "LAMINATING SHIFT D OPERATOR"
            },
            {
                "attribute": "positionShortDescription",
                "oldValue": "303017",
                "newValue": "375573"
            },
            {
                "attribute": "legalEntity",
                "oldValue": "530-G2423",
                "newValue": "530-G5426"
            },
            {
                "attribute": "accountingUnitDescription",
                "oldValue": "G.Goole (265) - LAMINATING SHIFT C",
                "newValue": "G.Goole (265) - LAMINATING SHIFT D"
            },
            {
                "attribute": "positionCode",
                "oldValue": "303017",
                "newValue": "375573"
            }
        ],
        "_metadata": {
            "triggerType": "fireAndForget",
            "triggerId": "idn:identity-attributes-changed",
            "invocationId": "4c50578a-aa63-422f-9220-9bbbfa3541ae"
        }
    }

For comparison, i have done something similar on a different event and it seems to work OK.

filter is

$.requestedItems[?(@.operation != "Remove" && (@.id == "e10bf8643dd8471396880d7e7e51a489" || @.id == "cea271971fe44e5abf09ea38ae876fe7"))]

and the event is

{
        "accessRequestId": "19176f8595224785872896ac7d25ead0",
        "requestedFor": {
            "id": "2c9180878222dc6701822b2845b11ef8",
            "name": "Chandru, Swathi",
            "type": "IDENTITY"
        },
        "requestedItems": [
            {
                "id": "e10bf8643dd8471396880d7e7e51a489",
                "name": "GHR Security Administrator - Firefighter",
                "description": "HRIT App Sec use only - This role grants firefighter access to perform Application Security functions in GHR.",
                "type": "ACCESS_PROFILE",
                "operation": "Add",
                "comment": "Need access to handle error BODs created as part of monthly user purge activity in IFS"
            }
        ],
        "requestedBy": {
            "type": "IDENTITY",
            "id": "2c9180878222dc6701822b2845b11ef8",
            "name": "21039278"
        },
        "_metadata": {
            "callbackURL": "https://koch.api.identitynow.com/beta/trigger-invocations/85f92719-50a9-4631-aede-9d5c9e740b86/complete",
            "secret": "eba943f7-bda5-4682-9d1d-adcd32c9a902",
            "triggerType": "requestResponse",
            "triggerId": "idn:access-request-pre-approval",
            "invocationId": "85f92719-50a9-4631-aede-9d5c9e740b86"
        }
    }

Appreciate any ideas anyone has

Thank you,
Caleb

2

Try this.

$[?($.changes.*.attribute contains "positionCode")].changes[?(@.attribute == "legalEntity" || @.attribute == "accountingUnit")]

It gets tricky when you try to check if multiple attributes both exist at the same time. We have to get crafty. The first part of the above expression creates a list of attribute names, and then checks if positionCode is one of the names.

$.changes.*.attribute produces this result:

[
	"positionDescription",
	"positionShortDescription",
	"accountingUnit",
	"accountingUnitDescription",
	"positionCode"
]

$[?($.changes.*.attribute contains "positionCode")] will match your positionCode while also returning the original input object.

[
	{
		"identity": {
			"name": "21097371",
			"id": "2c9180838222dcdc0182265f16427ce5",
			"type": "IDENTITY"
		},
		"changes": [
			{
				"newValue": "LAMINATING SHIFT D OPERATOR",
				"attribute": "positionDescription",
				"oldValue": "FABRICATION SHIFT C OPERATOR"
			},
			{
				"newValue": "375573",
				"attribute": "positionShortDescription",
				"oldValue": "303017"
			},
			{
				"newValue": "530-G5426",
				"attribute": "accountingUnit",
				"oldValue": "530-G2423"
			},
			{
				"newValue": "G.Goole (265) - LAMINATING SHIFT D",
				"attribute": "accountingUnitDescription",
				"oldValue": "G.Goole (265) - LAMINATING SHIFT C"
			},
			{
				"newValue": "375573",
				"attribute": "positionCode",
				"oldValue": "303017"
			}
		],
		"_metadata": {
			"triggerId": "idn:identity-attributes-changed",
			"triggerType": "fireAndForget",
			"invocationId": "4c50578a-aa63-422f-9220-9bbbfa3541ae"
		}
	}
]

So the first part of the expression guarantees that positionCode is one of the attributes, while returning the original object. Now we are free to check if one of the other two attributes is also present.
$[?($.changes.*.attribute contains "positionCode")].changes[?(@.attribute == "legalEntity" || @.attribute == "accountingUnit")]

[
	{
		"newValue": "530-G5426",
		"attribute": "accountingUnit",
		"oldValue": "530-G2423"
	}
]

Because the expression found an item that matches, it is considered a success and the trigger will send the event. If at any point the expression doesn’t match anything, the trigger won’t fire. For example, if positionCode wasn’t present, the result of the expression would be:

[]

And the trigger won’t fire.

3

Awesome, that worked! Appreciate the assist and thank you very much for explaining it out too. Have a good weekend